From: "Mikko Rapeli" <mikko.rapeli@bmw.de>
To: <akuster808@gmail.com>
Cc: <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [[PATCH] cve-check.bbclass: allow skiping non pbn
Date: Mon, 15 Feb 2021 07:51:45 +0000 [thread overview]
Message-ID: <YCooECLAFp0akfsC@korppu> (raw)
In-Reply-To: <20210214232027.2354161-1-akuster808@gmail.com>
Hi,
On Sun, Feb 14, 2021 at 11:20:27PM +0000, akuster wrote:
> I don't see the point in logging native, nativesdk etc.
> The bottom line is the BPN has the issue.
While I agree to some part and do alot of:
$ cd build/tmp/deploy/cve
$ less $( grep -l Unpatched * | \
egrep -v -- '-native|-nativesdk|-cross-|-crosssdk' )
I do find that fixing build tooling CVEs is a good idea since
they downloads stuff from the Internet.
Hence I'm not sure I like this filter. Maybe at least
rename CVE_CHECK_MANIFEST_FILTER to CVE_CHECK_FILTER_BUILD_TOOLS
which makes this a bit more clear.
Cheers,
-Mikko
> Allow folks to filter out those other package name variations via
> CVE_CHECK_MANIFEST_FILTER
>
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
> meta/classes/cve-check.bbclass | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 112ee3379d3..0d33d5a530c 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -59,6 +59,7 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
> # Layers to be included
> CVE_CHECK_LAYER_INCLUDELIST ??= ""
>
> +CVE_CHECK_MANIFEST_FILTER ??="0"
>
> # set to "alphabetical" for version using single alphabetical character as increament release
> CVE_VERSION_SUFFIX ??= ""
> @@ -96,6 +97,13 @@ python do_cve_check () {
> """
>
> if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
> + if d.getVar("CVE_CHECK_MANIFEST_FILTER") == "1":
> + # drop native, nativesdk, cross, etc
> + bpn = d.getVar("BPN")
> + pn = d.getVar("PN")
> + if bpn != pn:
> + return
> +
> try:
> patched_cves = get_patches_cves(d)
> except FileNotFoundError:
> @@ -164,6 +172,7 @@ def get_patches_cves(d):
> import re
>
> pn = d.getVar("PN")
> +
> cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
>
> # Matches last CVE-1234-211432 in the file name, also if written
> --
> 2.25.1
>
>
>
>
next prev parent reply other threads:[~2021-02-15 7:51 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-14 23:20 [[PATCH] cve-check.bbclass: allow skiping non pbn akuster
2021-02-15 7:51 ` Mikko Rapeli [this message]
2021-02-15 17:00 ` [OE-core] " akuster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YCooECLAFp0akfsC@korppu \
--to=mikko.rapeli@bmw.de \
--cc=akuster808@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.